Security Questionnaire
Common vendor security questions — answered
This questionnaire summarizes Papereg's current security posture for procurement and vendor review processes. All answers reflect our actual implementation state. Items marked as 'Planned' are not yet in place.
Company & Product
What is the product?
Papereg is a form management and document processing platform for organizations. It supports form creation, submission collection, AI-powered document extraction, reporting, and third-party app integrations.
Where is the company based?
United States (Texas)
How is the product delivered?
Papereg is a hosted SaaS application accessed via web browser. There is no on-premises deployment option.
Architecture & Hosting
Where is data hosted?
United States. Infrastructure runs on managed cloud services.
Is customer data isolated?
Yes. Papereg uses schema-based multi-tenancy — each workspace gets its own PostgreSQL schema, providing database-level data isolation.
Do you support single-tenant deployments?
Not at this time.
What database do you use?
PostgreSQL with schema-per-tenant isolation.
Authentication & Access Control
How are passwords stored?
Passwords are hashed with bcrypt before storage. Plaintext passwords are never stored or logged.
Do you support MFA?
Not yet. MFA support is planned.
Do you support SSO (SAML/OIDC)?
Not yet. SSO is planned for enterprise plans.
How are API tokens managed?
API tokens are SHA-256 hashed. They support configurable expiration and scoped permissions, and are automatically invalidated when the creator loses workspace membership.
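The token lifecycle described above, as an added Python illustration; it is not Papereg's code (the product is an Elixir/Phoenix application). The class, the `tok_` prefix and the scope names are assumptions made for the example.

```python
import hashlib
import secrets
import time


def digest(token):
    # Unsalted SHA-256 is adequate here because the token is long and random,
    # unlike a human-chosen password.
    return hashlib.sha256(token.encode()).hexdigest()


class TokenStore:
    """In-memory stand-in for a token table keyed by the SHA-256 of the token."""

    def __init__(self):
        self.members = set()   # current workspace members
        self.rows = {}         # digest -> metadata; the plaintext is never kept

    def issue(self, creator, scopes, ttl_seconds, now=None):
        now = time.time() if now is None else now
        token = "tok_" + secrets.token_urlsafe(32)   # shown to the user once
        self.rows[digest(token)] = {
            "creator": creator,
            "scopes": frozenset(scopes),
            "expires_at": now + ttl_seconds,
        }
        return token

    def authorize(self, token, scope, now=None):
        now = time.time() if now is None else now
        row = self.rows.get(digest(token))
        if row is None:
            return "unknown token"
        if now >= row["expires_at"]:
            return "expired"
        # Checked on every request, so removing the creator from the workspace
        # invalidates the token without a separate revocation step.
        if row["creator"] not in self.members:
            return "creator is no longer a member"
        if scope not in row["scopes"]:
            return "scope not granted"
        return "ok"
```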
Do you have role-based access control?
Yes. Four workspace roles (Owner, Manager, Supervisor, User) with 26 configurable permission keys. Field-level access control restricts individual form fields by role.
Encryption
Is data encrypted in transit?
Yes. HTTPS is enforced with HSTS. Database connections use SSL.
Is data encrypted at rest?
Sensitive integration secrets (OAuth tokens, API keys, signing secrets) are encrypted at the application layer using AES-GCM. General form submission data relies on database-level and storage-level encryption provided by the hosting infrastructure.
How are encryption keys managed?
Application-level encryption keys are derived from the application's secret key base. Infrastructure-level keys are managed by the cloud provider.
Logging & Monitoring
Do you maintain audit logs?
Yes. Submission views, edits, status changes, data exports, API access, and report generation are logged with user, action, and timestamp.
How long are logs retained?
Audit logs are retained for the lifetime of the workspace. A formal retention schedule is not yet documented.
Do you have security monitoring?
Error monitoring via Sentry (when enabled). Static security analysis (Sobelow) and dependency CVE scanning (mix_audit) are available in the development pipeline.
Application Security
How do you prevent XSS?
All user-generated HTML content (markdown, embedded media) is processed through an allowlist-based HTML sanitizer. Template output is auto-escaped by the framework.
How do you prevent SQL injection?
All database queries use parameterized queries via the Ecto ORM. Dynamic schema names are validated against a strict regex pattern before any DDL execution.
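Schema names are identifiers and cannot be passed as bound query parameters, which is why the answer above relies on validation before DDL. An added Python illustration of such a check follows; it is not Papereg's code, and the `tenant_` naming pattern is an assumption, since the page does not give the actual regex.

```python
import re

# Hypothetical pattern: lowercase, digits and underscore only, fixed prefix,
# at most 63 characters in total (PostgreSQL's identifier length limit).
SCHEMA_NAME = re.compile(r"tenant_[a-z0-9_]{1,56}")

# The same pattern written with anchors, kept only to show the pitfall:
# in Python, "$" also matches just before a trailing newline.
LOOSE = re.compile(r"^tenant_[a-z0-9_]{1,56}$")


def validated_schema(name):
    """Return name if it is an acceptable tenant schema identifier."""
    if not isinstance(name, str) or SCHEMA_NAME.fullmatch(name) is None:
        raise ValueError(f"rejected schema name: {name!r}")
    return name


def create_schema_sql(name):
    # Validate first, then quote; the quoting is defence in depth, since the
    # allowlist already excludes the double-quote character.
    return f'CREATE SCHEMA "{validated_schema(name)}"'


# Constructed inputs: one valid name and several that must be refused.
SAMPLES = [
    "tenant_acme_42",
    "public",
    "Tenant_A",
    "tenant_a\n",
    'tenant_a"; DROP SCHEMA public; --',
    "tenant_" + "a" * 57,
]


def screen(samples):
    """Return the subset of samples that passes validation."""
    accepted = []
    for s in samples:
        try:
            accepted.append(validated_schema(s))
        except ValueError:
            pass
    return accepted
```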
How do you prevent CSRF?
Phoenix framework provides built-in CSRF token verification on all state-changing operations.
How do you prevent SSRF?
Outbound HTTP requests (webhooks, oEmbed) validate target URLs by resolving DNS and checking against private, loopback, link-local, and cloud metadata IP ranges. Automatic redirects are disabled for webhooks.
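An added Python illustration of the resolve-then-check step described above; it is not Papereg's code. The function names, the metadata address list and the sample DNS table are assumptions constructed for the example, and the resolver is injectable so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Well-known cloud metadata addresses (assumed list; extend per provider).
METADATA = [ipaddress.ip_network(n) for n in ("169.254.169.254/32", "fd00:ec2::254/128")]

def classify(ip):
    """Return why ip is blocked, or None if it is publicly routable."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.1 as 10.0.0.1
    checks = [("cloud metadata", any(ip in n for n in METADATA)),
              ("loopback", ip.is_loopback), ("link-local", ip.is_link_local),
              ("private", ip.is_private),
              ("non-routable", ip.is_multicast or ip.is_reserved or not ip.is_global)]
    return next((label for label, hit in checks if hit), None)

def check_webhook_url(url, resolve=socket.getaddrinfo):
    """Return (allowed, detail); detail is the IP to connect to, or the reason."""
    try:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "unsupported URL"
    try:
        infos = resolve(parts.hostname, port, type=socket.SOCK_STREAM)
    except OSError:
        infos = []
    ips = [ipaddress.ip_address(info[4][0]) for info in infos]
    if not ips:
        return False, "resolution failed"
    for ip in ips:  # every record must pass, not only the first
        reason = classify(ip)
        if reason:
            return False, f"{ip} is {reason}"
    # The caller connects to this exact address rather than resolving the name
    # again, and does not follow redirects, so the checked IP is the one used.
    return True, str(ips[0])

# Constructed DNS answers so the example runs without network access.
SAMPLE_DNS = {"hooks.example.test": ["93.184.216.34"],
              "mixed.example.test": ["93.184.216.34", "10.0.0.5"],
              "meta.example.test": ["169.254.169.254"],
              "mapped.example.test": ["::ffff:127.0.0.1"]}

def sample_resolve(host, port, type=0):
    return [(0, type, 0, "", (a, port)) for a in SAMPLE_DNS.get(host, [])]
```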
Do you do penetration testing?
Not yet. Penetration testing is planned as part of our security maturity roadmap.
Do you have a vulnerability disclosure program?
Yes. Security issues can be reported to privacy@papereg.com. A formal bug bounty program is not yet in place.
Do you scan dependencies for vulnerabilities?
Yes. mix_audit checks for known CVEs in dependencies. Sobelow performs static security analysis on the Phoenix application.
Data Handling
What personal data do you process?
Account data (email, name), workspace configuration, form submissions and field data, file attachments. Specific submission data categories depend on how customers configure their forms.
Do you use AI/ML on customer data?
Only when explicitly initiated by users. Anthropic Claude analyzes uploaded documents for form/submission extraction. Per Anthropic's API terms, this data is not used for model training.
Do you share data with third parties?
Only with the subprocessors listed on our security page (Anthropic, AWS S3, Resend, optionally Sentry) and any integrations explicitly configured by the workspace administrator (e.g., Zoho Bigin).
What is your data retention policy?
Data is retained while the account/workspace is active. Workspace deletion removes all associated data. A formal retention schedule with automated purge is not yet documented.
Can customers export their data?
Yes. Submissions can be exported via CSV, Excel, Markdown, or the REST API. Individual submissions can be exported as PDF.
What happens to data on termination?
Customers can export all data before termination. Deleting a workspace removes the entire tenant schema and all stored files.
Compliance & Certifications
Are you SOC 2 certified?
No.
Are you ISO 27001 certified?
No.
Are you HIPAA compliant?
No. Papereg is not currently suitable for HIPAA-regulated data without a BAA, which we do not offer at this time.
Are you GDPR compliant?
We implement many GDPR-aligned practices (data minimization, export/deletion capabilities, processor terms in our DPA) but do not claim full GDPR compliance. See our Privacy Policy and DPA for details.
Do you offer a DPA?
Yes. A Data Processing Addendum is available. Contact privacy@papereg.com for a signable version.
Availability & Business Continuity
What is your uptime SLA?
We do not currently offer a formal uptime SLA.
Do you have a disaster recovery plan?
Formal backup schedules and disaster recovery procedures are not yet documented for customer review.
Do you have an incident response plan?
Security issues can be reported to privacy@papereg.com. A formal incident response plan with defined SLAs is in development.
Security questions?
If you have questions about our security practices or need additional information for your procurement process, we're here to help.